Introduction to the visual approach

You can create a valid network tree by dividing your network size
by 2, and continuing to divide each branch until you reach either a
single IP address or the smallest network block that you wish to
define. Because every division halves a power of two, each node in the
tree is a block that can be written as one starting address plus one
netmask.

You must make sure that all the IP addresses in your network space belong to one (and only one) selected "leaf" of the tree.

You can select no more than six "leaves," and must cover your complete network space with the leaves you select.

Examples

In the examples below, five leaves are selected to define a network
range containing 128 hosts. (This leaves a sixth leaf available for the
IP addresses from 128 to 255, so that a full 256-unit IP space can be
covered within the six segments permitted to users of the campus
firewall; including all 256 addresses in these graphics, however, would
make the page unreadable.)

Figure 1: The network tree

Because each node is produced by halving a power of two, a network
containing 128 addresses will begin at 0 and end at 127, and a leaf of a
given size always begins on a multiple of that size: a 64-address leaf
can begin only at 0 or 64, a 16-address leaf only at 0, 16, 32 and so
on, and a 2-address leaf on any even number. In each of the squares
above, the top number is the number of addresses in that segment of the
network, and the bottom numbers are the particular IP addresses included.

Selecting your leaves

There are three points to keep in mind when selecting your first leaf:

The first leaf must contain the first address in the network segment.
This is to ensure that the entire network range can be selected, in
accordance with the rule that states that "all IP addresses must be
covered."

Your first leaf should probably contain at least 16 addresses. (It may be helpful to select a leaf containing more.)
While not a hard and fast rule, the Network Design Office recommends
that you allow at least 10 IP addresses for network equipment at the
very beginning of a network space.

Your first leaf should probably be assigned to the Fully Closed group.
Again, this is not an absolute, but network equipment should normally
be assigned to a Fully Closed group. (As noted above, you may wish to
make this IP range larger than what network equipment alone would
require, since many workstations should also be in a Fully Closed
group.)

To illustrate these three points, the following example network is
using the 64-address leaf from 0-63 as its first selection, shown below
in Figure 2.

Figure 2: The first node

After your first leaf has been selected, we return to the rule
stating that "all IP addresses must be covered" for assistance in
determining what leaves are valid for a second selection.

In this case, since the first leaf ends with address 63, the second leaf must
begin with 64, as shown in Figure 3 below. You can choose whichever size leaf
you wish, but the next one must be numerically adjacent to the first.

Figure 3: The second and third nodes

In this example, we've selected the 8-unit node from 64 to 71 as our next leaf.

While it is possible and permissible to continue subdividing leaves
to 4, 2, and 1, the restriction on the number of groups that may be
added to the firewall means that medium to large subnetworks won't use
such small divisions very often. (In addition, continuing to subdivide
to that scale would have made the graphic too large even for
high-resolution screens.)

Therefore, the third leaf selected is the 8-unit node from 72 to 79.
(The 16-unit node above it cannot be selected because it does not begin
with 72, as pointed out by the green circles in the graphic below.)

After these two nodes have been selected, we arrive at a choice of
leaves once more: there are 16-unit and 8-unit nodes available that
begin with address 80, shown below.

In this case, let's select the 16-unit node for our fourth. Choosing
smaller leaves means that you need more groups to cover from one end of
the range to another, and the upper limit is 6.

Figure 4: The fourth node

After selecting the 16-node leaf from 80 to 95, another decision point is reached; several leaves begin with 96.

Technically, any of them could be chosen; however, choosing the
8-node (96-103) would require at least 7 leaves to cover the full
range, because the remaining 104-127 cannot be covered with fewer than
two aligned leaves (104-111 and 112-127). You could use your entire
6-leaf allotment by selecting the two 16-nodes (96-111 and 112-127).
You could also use 5 leaves for this 128-node network segment and
reserve the 6th for another future network segment.

Figure 5: The fifth node

For the sake of the example, we've chosen the 32-node leaf from 96 to 127 to finish the IP range.

This network distribution follows each of the rules and suggestions
for creating campus firewall-compatible network subdivisions:

(Required) Each IP address in the network space from 0 to 127 is included and belongs to one and only one group.

(Required) Each range begins on a multiple of its own size, so that it can be written as a single starting address plus subnet mask.

(Required) There are six or fewer groups used to describe the entire range.

(Recommended) The first group contains at least 10 IP addresses.

(Recommended) The first group can be assigned to the Fully Closed group.
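The checklist above, and the count of leaves behind the choice of the fifth node, can both be mechanised. The following is an added example written for this page, not code from the campus firewall service: leaves are (start, size) pairs of offsets within the network space, exactly as in the figures, the five example leaves and the limits (six groups, at least 10 addresses in the first group) are taken from the text, and the function and constant names are this example's own.

```python
# Added example (not part of the original page): a checker for the leaf-
# selection rules above, and the "fewest leaves" calculation behind the
# choice of the fifth node.  Leaves are (start, size) pairs of offsets within
# the network space, as in the figures.  The constants restate the page's
# limits; the function names are this example's own.

MAX_GROUPS = 6        # hard limit on firewall groups stated on the page
MIN_FIRST_LEAF = 16   # smallest power of two holding the recommended 10 addresses

# The five leaves selected in Figures 2-5 (offsets within the 128-address space).
EXAMPLE_LEAVES = [(0, 64), (64, 8), (72, 8), (80, 16), (96, 32)]


def is_power_of_two(n):
    return n > 0 and (n & (n - 1)) == 0


def check_selection(space_size, leaves, max_groups=MAX_GROUPS):
    """Check a list of (start, size) leaves that should tile offsets
    0 .. space_size-1.  Returns (errors, warnings): an error breaks a
    (Required) rule, a warning breaks a (Recommended) one."""
    errors, warnings = [], []
    if not is_power_of_two(space_size):
        errors.append(f"network space of {space_size} addresses is not a power of two")
    if len(leaves) > max_groups:
        errors.append(f"{len(leaves)} leaves selected, limit is {max_groups}")

    expected = 0  # next offset still to be covered; 0 enforces the first-leaf rule
    for start, size in leaves:
        if not is_power_of_two(size):
            errors.append(f"leaf {start}+{size}: size is not a power of two")
        elif start % size != 0:
            errors.append(f"leaf {start}+{size}: start is not a multiple of its size")
        if start != expected:
            errors.append(f"leaf {start}+{size}: a leaf starting at {expected} is needed first")
        expected = max(expected, start + size)
    if expected < space_size:
        errors.append(f"offsets {expected}-{space_size - 1} are not covered")
    elif expected > space_size:
        errors.append(f"leaves run past the end of the space (to {expected - 1})")

    if leaves and leaves[0][1] < MIN_FIRST_LEAF:
        warnings.append(f"first leaf holds {leaves[0][1]} addresses; "
                        f"{MIN_FIRST_LEAF} or more is recommended for network equipment")
    return errors, warnings


def minimal_leaves(start, end):
    """Fewest aligned power-of-two leaves covering offsets start..end
    (inclusive): at every step take the largest leaf that is aligned at the
    current offset and still fits before `end`."""
    leaves = []
    while start <= end:
        size = 1 << 32 if start == 0 else start & -start  # largest alignment at start
        while size > end - start + 1:                     # shrink until it fits
            size //= 2
        leaves.append((start, size))
        start += size
    return leaves


def complete_with(chosen, next_leaf, space_size):
    """The leaves already chosen, plus `next_leaf`, plus the fewest leaves
    that finish the space after it: the number of groups a candidate
    leaf commits you to."""
    start, size = next_leaf
    return chosen + [next_leaf] + minimal_leaves(start + size, space_size - 1)


if __name__ == "__main__":
    print(check_selection(128, EXAMPLE_LEAVES))          # ([], [])
    four = EXAMPLE_LEAVES[:4]                           # Figures 2-4: leaves up to 80-95
    for candidate in [(96, 8), (96, 16), (96, 32)]:
        total = len(complete_with(four, candidate, 128))
        print(f"fifth leaf {candidate}: {total} leaves in total")   # 7, 6, 5
    # The 16-unit node 64-79 is not selectable once 64-71 has been taken:
    print(check_selection(128, [(0, 64), (64, 8), (64, 16), (80, 16), (96, 32)])[0])
```

The greedy rule in minimal_leaves (largest aligned block that still fits, then move on) is the same one a reader applies by eye on the tree, and it is what makes the 8-node choice at 96 cost two further leaves while the 32-node costs none.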

From pictures to IP addresses and netmasks

The following table shows how to translate from leaves back to addresses, with the assistance of the netmask table in the Powers of Two page. A leaf of 2^n addresses corresponds to a /(32-n) subnet mask, so a 64-address leaf is a /26 and an 8-address leaf is a /29:

Leaf size   is equivalent to   Subnet mask   combined with   Starting address   to give   Leaf addresses
64          ->                 /26           +               0                  =         0-63
8           ->                 /29           +               64                 =         64-71
8           ->                 /29           +               72                 =         72-79
16          ->                 /28           +               80                 =         80-95
32          ->                 /27           +               96                 =         96-127

Using the "starting address" column as the IP address and the
"subnet mask" column as the range delimiter, you can translate the
graphic shown above into the following series of IP ranges for
submission to the campus firewall service:

Firewall group 1 - 192.168.0.0 /26

Firewall group 2 - 192.168.0.64 /29

Firewall group 3 - 192.168.0.72 /29

Firewall group 4 - 192.168.0.80 /28

Firewall group 5 - 192.168.0.96 /27
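The translation from the table and the list above can be done, and checked, with the Python standard library alone. The following is an added example for this page, not a tool provided by the campus firewall service: the base address 192.168.0.0 and the five leaves are the ones used above, the function names are this example's own, and the misaligned leaf (72 with a 16-address size) is included only to show how a start that is not a multiple of its size is refused.

```python
# Added example (not part of the original page): translating leaves to the
# "address /prefix" form the firewall service takes, and back, using only
# the standard library.  192.168.0.0 and the five leaves are the ones in the
# table and list above; the function names are this example's own.
import ipaddress

BASE = ipaddress.ip_address("192.168.0.0")   # first address of the 256-unit space
LEAVES = [(0, 64), (64, 8), (72, 8), (80, 16), (96, 32)]   # (offset, size) from BASE


def prefix_for(size):
    """Leaf size -> prefix length, i.e. 32 minus log2(size):
    64 addresses -> /26, 8 -> /29, 256 -> /24."""
    if size <= 0 or size & (size - 1):
        raise ValueError(f"leaf size {size} is not a power of two")
    return 32 - (size.bit_length() - 1)


def leaf_to_network(base, start, size):
    """CIDR network for one leaf.  strict=True makes ipaddress refuse a start
    that is not a multiple of the size ('has host bits set'), which is the
    same alignment rule the tree enforces visually."""
    return ipaddress.ip_network(f"{base + start}/{prefix_for(size)}", strict=True)


def network_to_leaf(base, cidr):
    """The reverse direction: '192.168.0.80/28' -> (80, 16)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return int(net.network_address) - int(base), net.num_addresses


def firewall_groups(base, leaves):
    """The submission lines, numbered as on the page."""
    lines = []
    for number, (start, size) in enumerate(leaves, 1):
        net = leaf_to_network(base, start, size)
        lines.append(f"Firewall group {number} - {net.network_address} /{net.prefixlen}")
    return lines


def covering_network(base, leaves):
    """Merge the leaves back together; the result is a single network only
    when the leaves tile a power-of-two space with no gaps or overlaps."""
    nets = [leaf_to_network(base, start, size) for start, size in leaves]
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) != 1:
        raise ValueError(f"leaves do not form one contiguous block: {merged}")
    return merged[0]


if __name__ == "__main__":
    for line in firewall_groups(BASE, LEAVES):
        print(line)
    print("covers", covering_network(BASE, LEAVES))     # 192.168.0.0/25
    print(network_to_leaf(BASE, "192.168.0.96/27"))     # (96, 32)
    try:
        leaf_to_network(BASE, 72, 16)    # 72 is not a multiple of 16: refused
    except ValueError as err:
        print("rejected:", err)
```

Running covering_network on a selection before submitting it is a cheap way to catch a gap or an overlap: five leaves that merge back into exactly 192.168.0.0/25 are a complete, non-overlapping cover of the 128-address space, and anything else comes back as a list of fragments.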

As mentioned above, the first range should probably belong to the
Fully Closed group. For similar reasons, it may also be useful to make
your final group a Fully Closed group; some network devices may also be
placed at the high end of the range, and Fully Closed is the most secure
firewall group. You can choose whichever firewall groups you wish,
however.